Information about SSL bug
By Wayne Thayer, VP Security Products
January 12, 2017
Friday, Jan. 6, we learned about a bug that impacted our SSL
certification validation process. The bug was introduced on July 29,
2016, and impacted less than 2 percent of the certificates issued from
July 29, 2016, to Jan. 10, 2017. It affected approximately 6,100
customers. The software bug that created the issue has been remedied. We
continue to closely monitor the system. We will revoke these
certificates at 9 p.m. (PST) Jan. 10, 2017. We are actively working with
our customers to reissue their SSL certificates.
GoDaddy inadvertently introduced the bug during a routine code change
intended to improve our certificate issuance process. The bug caused the
domain validation process to fail in certain circumstances.
In a typical process, when a certificate authority, like GoDaddy,
validates a domain name for an SSL certificate, they provide a random
code to the customer and ask them to place it in a specific location on
their website. When their system searches and finds the code, the
validation is complete.
However, when the bug was introduced, certain web server configurations
caused the system to provide a positive result to the search, even if
the code was not found.
Instructions for affected GoDaddy SSL customers
For customers who were impacted, we have already submitted a new
certificate request on your behalf at no additional cost. You simply
need to log in to your GoDaddy account; once there, go to your SSL Panel
and initiate the certificate process.
This process will be identical to the process you followed when your
previous certificates were issued. The SSL Panel provides information
and instructions that should allow you to easily process the certificate
online. The time it takes for a new certificate to issue will vary
depending on each customerís circumstances, but please know we are
working diligently to get all new certificates issued as quickly as
We deeply apologize for the inconvenience to our customers.
Since 2004, weíve issued nearly 10 million certificates. This is the
first time weíve experienced an issue of this nature, and although only
a small fraction of our certificate customers were impacted, we take the
SSL bug FAQ
What is the specific problem with the SSL certificates, and has the
problem been fixed?
Due to a software bug that GoDaddy inadvertently introduced during a
routine code change intended to improve our certificate issuance
process, the domain validation process for a small percentage of our
recently issued certificates failed. In accordance with industry
standards as a Certificate Authority, the potentially impacted
certificates were revoked as a precautionary measure (effective 9 p.m.
(PST) January 10). The software bug that created the issue has been
remedied. We continue to closely monitor the system.
What does it mean for a website when its certificate is revoked? Will
the website go offline?
The website will not go offline; it will continue to resolve, even
though the certificate is revoked. Visitors to a website with a revoked
certificate might see error messages and/or warnings, which are issued
by the browser used by the website visitor (e.g., Chrome, Firefox,
Safari, IE, etc.). However, if a new certificate is obtained and
installed before the existing certificate is revoked, visitors to the
website will not see any error messages/warnings.
How do impacted customers obtain a new certificate for their website,
and how long will it take?
For impacted customers, we have already submitted a new certificate
request on their behalf at no additional cost. Those impacted customers
simply need to log in to their GoDaddy account at www.godaddy.com. Once
there, go to the SSL Panel and initiate the certificate process.
This process will be identical to the process they followed when their
previous certificates were issued. (If a customer has more than one
revoked certificate associated with their customer account, they will be
able to initiate the certificate process for each domain within the SSL
Panel.) The SSL Panel provides helpful information and instructions that
should allow customers to easily process the certificate online.
The time it takes for a new certificate to issue will vary depending on
the customerís circumstances, but please know we are working diligently
to get all new certificates issued as quickly as possible.
Does revocation of my certificate impact the security of visitors to my
Not in this case. Although the certificate has been revoked, and various
browsers might issue a warning message, revocation of the certificate
does not eliminate encryption and other security measures enabled by the
my website misused by an unknown third party?
We are unaware of any customer websites being misused as a result of the
How will I know when a new certificate has been issued?
We will send a notification to the customer via email.
What additional steps must a customer take after the new certificate is
Customers whose websites are hosted at GoDaddy do not need to do
anything once the new certificate is issued; GoDaddy will handle the
installation of the new certificate on the customerís website. However,
those customers whose sites are hosted elsewhere will need to install
the new certificate on their websites once they are notified it is